Protecting Your Information Assets: Privacy and Data Security
Maureen Cooney, Counsel to Hunton & Williams LLP; Senior Policy Advisor, The Center for Information Policy Leadership at Hunton & Williams LLP; 202.955.1517; mcooney@hunton.com
To: American Records Management Association
Our Firm
• Founded in 1901, Hunton & Williams is one of the nation’s leading law firms with over 875 attorneys in 18 offices, serving clients in more than 100 countries.
Privacy and Information Management Practice
• 20 privacy professionals in the U.S., EU and Asia
• Our privacy clients include:
  • Kraft Foods
  • General Dynamics
  • Holtzbrinck Publishers
  • Kodak
  • Estee Lauder
  • Pitney Bowes
  • Visa
  • British Telecom
  • Google
  • TJX
  • IKEA
  • Computer Associates
• The Center for Information Policy Leadership at Hunton & Williams
Four Privacy Risks
• Legal compliance
• Reputation
• Investment
• Reticence
Managing Privacy and Data Security
• Managing customer relationships and privacy and information security risks are significant business issues that require more than IT assessments and IT security solutions.
• PREPARATION is key, utilizing a multidisciplinary approach and expertise throughout a business enterprise.
• Effective management requires a strategy for data collection, use, retention and disposal.
Privacy as a Business Strategy
• Developing a business strategy for data collection and use minimizes risks and should include:
  • Identified business purposes for collecting or sharing a customer’s personal information;
  • Commitment to customer privacy and security;
  • Appropriate technology choices in the development of programs and safeguarding of information;
  • Information privacy and security risk assessments that include an analysis of the impact to the organization;
  • Compliance and risk mitigation plans;
  • Operational policies and procedures that augment IT solutions, i.e., role-based access and use authorizations;
  • Employee training and accountability;
  • Implementation of oversight audits.
Internal Data Governance Model
• Begins with a Privacy Assessment and Data Mapping of each enterprise program and record collection system that collects information about any individual through one or multiple information systems.
• Determine the purpose and necessity of the information collected, used, retained, or shared, the appropriateness of technology choices, as well as data security.
• What laws apply? What are U.S. and international consumer expectations? Transparency? What is the impact to the organization and its customers from a possible breach, security vulnerability or loss of consumer confidence from the handling of their personal information?
• Benchmark policies and operational practices against fair information practices principles, legal requirements, and consumer expectations.
• Establish written policies and procedures and internal risk management and accountability mechanisms.
Information Security
• Security breaches continued to be a top news item in 2006, affecting consumer confidence and U.S. businesses
• By the 3rd quarter of 2006, 192 information security breaches were reported by the Identity Theft Resource Center
• 120 million individuals were potentially affected
• Costs to business soared: $182 per compromised record (up 30% from 2005) according to the Ponemon Institute
• Harris Poll of senior executives: 61% listed security breaches as a higher concern than other crises, including terrorism, corporate malfeasance, product recalls, or workplace violence.
Information Privacy and Security: U.S. Legal Requirements
• GLB’s Safeguards Rule
  • Applies to financial institutions, but . . .
• HIPAA’s Security Rule
• California’s AB 1950 and progeny
• FACTA’s records disposal rule and state records disposition laws
• State security breach notification laws
• FTC Act Section 5
Patchwork of Legislative Responses
• More than 35 state laws passed addressing consumer privacy, including security requirements and breach notification
• Many federal bills introduced
• Law passed addressing government data security
Who Else Cares?
• Other interested parties
  • Credit reporting agencies
  • Credit card companies
    • Consider contractual obligations
    • File an incident report
    • Conduct an audit
• Regulatory agencies
  • FTC and other relevant federal regulators
  • State agencies: NJ, NY, NC, NH, ME, HI
Protection and Prevention
• Consistent with your business strategy for privacy and data security, plan in the following areas:
  • Collect the minimum amount of personal information to accomplish your business purposes
  • From data flow inventories, classify information in records according to sensitivity and build in higher protections for more sensitive information
  • Build in appropriate policies, physical and technological safeguards for records
  • Require service providers and vendors to follow your privacy and security policies and procedures
  • Dispose of records in a secure manner
Where is the Greatest Risk?
• Employees
  • Many security breaches are perpetrated by company employees
  • Conduct background checks
  • Train employees to spot issues
  • Provide whistleblower mechanisms
  • Monitor employees (as legally permissible)
Where is the Greatest Risk? (cont’d)
• Vendors
  • Conduct due diligence
  • Identify and examine key vendor contracts
  • Analyze scope and substance of confidentiality and data security obligations
  • Examine data return and destruction provisions
  • Request that existing key vendors provide information about privacy and information security policies and practices
  • Conduct ongoing monitoring
Plan in Advance
• Identify and train a data breach response team
• Know where personal information is stored
• Develop written policies and procedures
• Understand your legal obligations
• Involve PR/communications group and IT group
• Conduct post-incident performance review and revise procedures accordingly
Minimizing the Risk
• Concern and focus must come from the top
• Integrate the concern for information security into your organizational ethic and train employees
• Need accountability and strong audit procedures
• Re-evaluate security systems and policies on an ongoing basis
• Take prompt action in the event of a breach
• Be able to explain what you have done and why
• Prevention is the primary goal
Maureen Cooney
Counsel, Privacy and Information Management Practice
Senior Policy Advisor for Global Privacy Strategies, Center for Information Policy Leadership
Hunton & Williams LLP
(202) 955-1517
mcooney@hunton.com
Questions?